# Release History

## 1.3.0 (2023-05-09)

### Breaking Changes
> These changes affect only code written against a beta version such as v1.3.0-beta.5
* Renamed `NewOnBehalfOfCredentialFromCertificate` to `NewOnBehalfOfCredentialWithCertificate`
* Renamed `NewOnBehalfOfCredentialFromSecret` to `NewOnBehalfOfCredentialWithSecret`

### Other Changes
* Upgraded to MSAL v1.0.0

## 1.3.0-beta.5 (2023-04-11)

### Breaking Changes
> These changes affect only code written against a beta version such as v1.3.0-beta.4
* Moved `NewWorkloadIdentityCredential()` parameters into `WorkloadIdentityCredentialOptions`.
  By default, the constructor now reads its configuration from environment variables set by
  the Azure workload identity webhook.
  ([#20478](https://github.com/Azure/azure-sdk-for-go/pull/20478))
* Removed CAE support. It will return in v1.4.0-beta.1
  ([#20479](https://github.com/Azure/azure-sdk-for-go/pull/20479))

### Bugs Fixed
* Fixed an issue in `DefaultAzureCredential` that could cause the managed identity endpoint check to fail in rare circumstances.

## 1.3.0-beta.4 (2023-03-08)

### Features Added
* Added `WorkloadIdentityCredentialOptions.AdditionallyAllowedTenants` and `.DisableInstanceDiscovery`

### Bugs Fixed
* Credentials now synchronize within `GetToken()` so a single instance can be shared among goroutines
  ([#20044](https://github.com/Azure/azure-sdk-for-go/issues/20044))

### Other Changes
* Upgraded dependencies

## 1.2.2 (2023-03-07)

### Other Changes
* Upgraded dependencies

## 1.3.0-beta.3 (2023-02-07)

### Features Added
* By default, credentials set client capability "CP1" to enable support for
  [Continuous Access Evaluation (CAE)](https://docs.microsoft.com/azure/active-directory/develop/app-resilience-continuous-access-evaluation).
  This indicates to Azure Active Directory that your application can handle CAE claims challenges.
  You can disable this behavior by setting the environment variable "AZURE_IDENTITY_DISABLE_CP1" to "true".
* `InteractiveBrowserCredentialOptions.LoginHint` enables pre-populating the login
  prompt with a username ([#15599](https://github.com/Azure/azure-sdk-for-go/pull/15599))
* Service principal and user credentials support ADFS authentication on Azure Stack.
  Specify "adfs" as the credential's tenant.
* Applications running in private or disconnected clouds can prevent credentials from
  requesting Azure AD instance metadata by setting the `DisableInstanceDiscovery`
  field on credential options.
* Many credentials can now be configured to authenticate in multiple tenants. The
  options types for these credentials have an `AdditionallyAllowedTenants` field
  that specifies additional tenants in which the credential may authenticate.

## 1.3.0-beta.2 (2023-01-10)

### Features Added
* Added `OnBehalfOfCredential` to support the on-behalf-of flow
  ([#16642](https://github.com/Azure/azure-sdk-for-go/issues/16642))

### Bugs Fixed
* `AzureCLICredential` reports token expiration in local time (should be UTC)

### Other Changes
* `AzureCLICredential` imposes its default timeout only when the `Context`
  passed to `GetToken()` has no deadline
* Added `NewCredentialUnavailableError()`. This function constructs an error indicating
  a credential can't authenticate and an encompassing `ChainedTokenCredential` should
  try its next credential, if any.

## 1.3.0-beta.1 (2022-12-13)

### Features Added
* `WorkloadIdentityCredential` and `DefaultAzureCredential` support
  Workload Identity Federation on Kubernetes. `DefaultAzureCredential`
  support requires environment variable configuration as set by the
  Workload Identity webhook.
  ([#15615](https://github.com/Azure/azure-sdk-for-go/issues/15615))

## 1.2.0 (2022-11-08)

### Other Changes
* This version includes all fixes and features from 1.2.0-beta.*

## 1.2.0-beta.3 (2022-10-11)

### Features Added
* `ManagedIdentityCredential` caches tokens in memory

### Bugs Fixed
* `ClientCertificateCredential` sends only the leaf cert for SNI authentication

## 1.2.0-beta.2 (2022-08-10)

### Features Added
* Added `ClientAssertionCredential` to enable applications to authenticate
  with custom client assertions

### Other Changes
* Updated AuthenticationFailedError with links to TROUBLESHOOTING.md for relevant errors
* Upgraded `microsoft-authentication-library-for-go` requirement to v0.6.0

## 1.2.0-beta.1 (2022-06-07)

### Features Added
* `EnvironmentCredential` reads certificate passwords from `AZURE_CLIENT_CERTIFICATE_PASSWORD`
  ([#17099](https://github.com/Azure/azure-sdk-for-go/pull/17099))

## 1.1.0 (2022-06-07)

### Features Added
* `ClientCertificateCredential` and `ClientSecretCredential` support ESTS-R. First-party
  applications can set environment variable `AZURE_REGIONAL_AUTHORITY_NAME` with a
  region name.
  ([#15605](https://github.com/Azure/azure-sdk-for-go/issues/15605))

## 1.0.1 (2022-06-07)

### Other Changes
* Upgrade `microsoft-authentication-library-for-go` requirement to v0.5.1
  ([#18176](https://github.com/Azure/azure-sdk-for-go/issues/18176))

## 1.0.0 (2022-05-12)

### Features Added
* `DefaultAzureCredential` reads environment variable `AZURE_CLIENT_ID` for the
  client ID of a user-assigned managed identity
  ([#17293](https://github.com/Azure/azure-sdk-for-go/pull/17293))

### Breaking Changes
* Removed `AuthorizationCodeCredential`. Use `InteractiveBrowserCredential` instead
  to authenticate a user with the authorization code flow.
* Instances of `AuthenticationFailedError` are now returned by pointer.
* `GetToken()` returns `azcore.AccessToken` by value

### Bugs Fixed
* `AzureCLICredential` panics after receiving an unexpected error type
  ([#17490](https://github.com/Azure/azure-sdk-for-go/issues/17490))

### Other Changes
* `GetToken()` returns an error when the caller specifies no scope
* Updated to the latest versions of `golang.org/x/crypto`, `azcore` and `internal`

## 0.14.0 (2022-04-05)

### Breaking Changes
* This module now requires Go 1.18
* Removed `AuthorityHost`. Credentials are now configured for sovereign or private
  clouds with the API in `azcore/cloud`, for example:
  ```go
  // before
  opts := azidentity.ClientSecretCredentialOptions{AuthorityHost: azidentity.AzureGovernment}
  cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, secret, &opts)

  // after
  import "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"

  opts := azidentity.ClientSecretCredentialOptions{}
  opts.Cloud = cloud.AzureGovernment
  cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, secret, &opts)
  ```

## 0.13.2 (2022-03-08)

### Bugs Fixed
* Prevented a data race in `DefaultAzureCredential` and `ChainedTokenCredential`
  ([#17144](https://github.com/Azure/azure-sdk-for-go/issues/17144))

### Other Changes
* Upgraded App Service managed identity version from 2017-09-01 to 2019-08-01
  ([#17086](https://github.com/Azure/azure-sdk-for-go/pull/17086))

## 0.13.1 (2022-02-08)

### Features Added
* `EnvironmentCredential` supports certificate SNI authentication when
  `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN` is "true".
  ([#16851](https://github.com/Azure/azure-sdk-for-go/pull/16851))

### Bugs Fixed
* `ManagedIdentityCredential.GetToken()` now returns an error when configured for
  a user assigned identity in Azure Cloud Shell (which doesn't support such identities)
  ([#16946](https://github.com/Azure/azure-sdk-for-go/pull/16946))

### Other Changes
* `NewDefaultAzureCredential()` logs non-fatal errors. These errors are also included in the
  error returned by `DefaultAzureCredential.GetToken()` when it's unable to acquire a token
  from any source. ([#15923](https://github.com/Azure/azure-sdk-for-go/issues/15923))

## 0.13.0 (2022-01-11)

### Breaking Changes
* Replaced `AuthenticationFailedError.RawResponse()` with a field having the same name
* Unexported `CredentialUnavailableError`
* Instances of `ChainedTokenCredential` will now skip looping through the list of source credentials and re-use the first successful credential on subsequent calls to `GetToken`.
  * If `ChainedTokenCredentialOptions.RetrySources` is true, `ChainedTokenCredential` will continue to try all of the originally provided credentials each time the `GetToken` method is called.
  * `ChainedTokenCredential.successfulCredential` will contain a reference to the last successful credential.
  * `DefaultAzureCredential` will also re-use the first successful credential on subsequent calls to `GetToken`.
  * `DefaultAzureCredential.chain.successfulCredential` will also contain a reference to the last successful credential.

### Other Changes
* `ManagedIdentityCredential` no longer probes IMDS before requesting a token
  from it. Also, an error response from IMDS no longer disables a credential
  instance. Following an error, a credential instance will continue to send
  requests to IMDS as necessary.
* Adopted MSAL for user and service principal authentication
* Updated `azcore` requirement to 0.21.0

## 0.12.0 (2021-11-02)
### Breaking Changes
* Raised minimum Go version to 1.16
* Removed `NewAuthenticationPolicy()` from credentials. Clients should instead use azcore's
  `runtime.NewBearerTokenPolicy()` to construct a bearer token authorization policy.
* The `AuthorityHost` field in credential options structs is now a custom type,
  `AuthorityHost`, with underlying type `string`
* `NewChainedTokenCredential` has a new signature to accommodate a placeholder
  options struct:
  ```go
  // before
  cred, err := NewChainedTokenCredential(credA, credB)

  // after
  cred, err := NewChainedTokenCredential([]azcore.TokenCredential{credA, credB}, nil)
  ```
* Removed `ExcludeAzureCLICredential`, `ExcludeEnvironmentCredential`, and `ExcludeMSICredential`
  from `DefaultAzureCredentialOptions`
* `NewClientCertificateCredential` requires a `[]*x509.Certificate` and `crypto.PrivateKey` instead of
  a path to a certificate file. Added `ParseCertificates` to simplify getting these in common cases:
  ```go
  // before
  cred, err := NewClientCertificateCredential("tenant", "client-id", "/cert.pem", nil)

  // after
  certData, err := os.ReadFile("/cert.pem")
  certs, key, err := ParseCertificates(certData, password)
  cred, err := NewClientCertificateCredential(tenantID, clientID, certs, key, nil)
  ```
* Removed `InteractiveBrowserCredentialOptions.ClientSecret` and `.Port`
* Removed `AADAuthenticationFailedError`
* Removed `id` parameter of `NewManagedIdentityCredential()`. User assigned identities are now
  specified by `ManagedIdentityCredentialOptions.ID`:
  ```go
  // before
  cred, err := NewManagedIdentityCredential("client-id", nil)
  // or, for a resource ID
  opts := &ManagedIdentityCredentialOptions{ID: ResourceID}
  cred, err := NewManagedIdentityCredential("/subscriptions/...", opts)

  // after
  clientID := ClientID("7cf7db0d-...")
  opts := &ManagedIdentityCredentialOptions{ID: clientID}
  // or, for a resource ID
  resID := ResourceID("/subscriptions/...")
  opts := &ManagedIdentityCredentialOptions{ID: resID}
  cred, err := NewManagedIdentityCredential(opts)
  ```
* `DeviceCodeCredentialOptions.UserPrompt` has a new type: `func(context.Context, DeviceCodeMessage) error`
* Credential options structs now embed `azcore.ClientOptions`. In addition to changing literal initialization
  syntax, this change renames `HTTPClient` fields to `Transport`.
* Renamed `LogCredential` to `EventCredential`
* `AzureCLICredential` no longer reads the environment variable `AZURE_CLI_PATH`
* `NewManagedIdentityCredential` no longer reads environment variables `AZURE_CLIENT_ID` and
  `AZURE_RESOURCE_ID`. Use `ManagedIdentityCredentialOptions.ID` instead.
* Unexported `AuthenticationFailedError` and `CredentialUnavailableError` structs. In their place are two
  interfaces having the same names.

### Bugs Fixed
* `AzureCLICredential.GetToken` no longer mutates its `opts.Scopes`

### Features Added
* Added connection configuration options to `DefaultAzureCredentialOptions`
* `AuthenticationFailedError.RawResponse()` returns the HTTP response motivating the error,
  if available

### Other Changes
* `NewDefaultAzureCredential()` returns `*DefaultAzureCredential` instead of `*ChainedTokenCredential`
* Added `TenantID` field to `DefaultAzureCredentialOptions` and `AzureCLICredentialOptions`

## 0.11.0 (2021-09-08)
### Breaking Changes
* Unexported `AzureCLICredentialOptions.TokenProvider` and its type,
  `AzureCLITokenProvider`

### Bugs Fixed
* `ManagedIdentityCredential.GetToken` returns `CredentialUnavailableError`
  when IMDS has no assigned identity, signaling `DefaultAzureCredential` to
  try other credentials


## 0.10.0 (2021-08-30)
### Breaking Changes
* Update based on `azcore` refactor [#15383](https://github.com/Azure/azure-sdk-for-go/pull/15383)

## 0.9.3 (2021-08-20)

### Bugs Fixed
* `ManagedIdentityCredential.GetToken` no longer mutates its `opts.Scopes`

### Other Changes
* Bumps version of `azcore` to `v0.18.1`


## 0.9.2 (2021-07-23)
### Features Added
* Adding support for Service Fabric environment in `ManagedIdentityCredential`
* Adding an option for using a resource ID instead of client ID in `ManagedIdentityCredential`


## 0.9.1 (2021-05-24)
### Features Added
* Add LICENSE.txt and bump version information


## 0.9.0 (2021-05-21)
### Features Added
* Add support for authenticating in Azure Stack environments
* Enable user assigned identities for the IMDS scenario in `ManagedIdentityCredential`
* Add scope to resource conversion in `GetToken()` on `ManagedIdentityCredential`


## 0.8.0 (2021-01-20)
### Features Added
* Updating documentation


## 0.7.1 (2021-01-04)
### Features Added
* Adding port option to `InteractiveBrowserCredential`


## 0.7.0 (2020-12-11)
### Features Added
* Add `redirectURI` parameter back to authentication code flow


## 0.6.1 (2020-12-09)
### Features Added
* Updating query parameter in `ManagedIdentityCredential` and updating datetime string for parsing managed identity access tokens.


## 0.6.0 (2020-11-16)
### Features Added
* Remove `RedirectURL` parameter from auth code flow to align with the MSAL implementation which relies on the native client redirect URL.


## 0.5.0 (2020-10-30)
### Features Added
* Flattening credential options


## 0.4.3 (2020-10-21)
### Features Added
* Adding Azure Arc support in `ManagedIdentityCredential`


## 0.4.2 (2020-10-16)
### Features Added
* Typo fixes


## 0.4.1 (2020-10-16)
### Features Added
* Ensure authority hosts are only HTTPS


## 0.4.0 (2020-10-16)
### Features Added
* Adding options structs for credentials


## 0.3.0 (2020-10-09)
### Features Added
* Update `DeviceCodeCredential` callback


## 0.2.2 (2020-10-09)
### Features Added
* Add `AuthorizationCodeCredential`


## 0.2.1 (2020-10-06)
### Features Added
* Add `InteractiveBrowserCredential`


## 0.2.0 (2020-09-11)
### Features Added
* Refactor `azidentity` on top of `azcore` refactor
* Updated policies to conform to `policy.Policy` interface changes.
* Updated non-retriable errors to conform to `azcore.NonRetriableError`.
* Fixed calls to `Request.SetBody()` to include content type.
* Switched endpoints to string types and removed extra parsing code.


## 0.1.1 (2020-09-02)
### Features Added
* Add `AzureCLICredential` to `DefaultAzureCredential` chain


## 0.1.0 (2020-07-23)
### Features Added
* Initial Release. Azure Identity library that provides Azure Active Directory token authentication support for the SDK.
